Module 7: Implementing Group Policy in Windows Server
What Is Group Policy?
Group Policy is a framework that uses Group Policy Objects (GPOs) to apply configuration settings to:
Users
Computers
Organizational Units (OUs)
These settings are pushed from the domain controllers to the client systems during login or computer startup.
Benefits of Implementing Group Policy
Centralized configuration management
Improved security (e.g., account lockout, firewall, password policies)
Consistency across systems
Reduced support calls and manual setup
Automated deployment of software and updates
Steps to Implement Group Policy
Step 1: Open Group Policy Management
Go to Server Manager > Tools > Group Policy Management
Step 2: Create a New GPO
Right-click your domain or OU > Create a GPO in this domain and Link it here
Name the GPO (e.g., SecurityPolicy-GPO)
Step 3: Edit the GPO
Right-click the GPO > Edit
Use the Group Policy Management Editor to configure:
Computer Configuration (e.g., security settings, scripts)
User Configuration (e.g., desktop restrictions, control panel access)
Step 4: Apply GPO to Specific Users or Computers
Use Security Filtering or WMI Filters for targeted application.
Step 5: Update Policies on Clients
Run gpupdate /force on client machines, or restart the system to apply the settings
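The same five steps can be scripted with the GroupPolicy PowerShell module instead of clicking through GPMC. This is an added example, not code from the course notes; the OU distinguished name, the security group and the client host name are constructed placeholders, and it assumes an RSAT or domain controller host where the GroupPolicy module is available.

```powershell
# Added example: the Step 1-5 procedure above, scripted with the GroupPolicy module.
# Placeholders (assumed, not from the notes): the OU DN, the filtering group, the client name.
Import-Module GroupPolicy

$gpoName  = 'SecurityPolicy-GPO'                    # GPO name used in Step 2
$targetOu = 'OU=Workstations,DC=example,DC=com'     # placeholder OU distinguished name
$applyGrp = 'Workstation-Policy-Targets'            # placeholder domain security group

# Step 2: create the GPO and link it to the OU ("Create a GPO in this domain and Link it here").
New-GPO -Name $gpoName -Comment 'Baseline security settings for workstations' |
    New-GPLink -Target $targetOu -LinkEnabled Yes | Out-Null

# Step 3: edit the GPO. Administrative Template settings are registry-based, so
# Set-GPRegistryValue is the scripted equivalent of enabling the setting in the editor.
# Here: Computer Configuration, Windows Firewall enabled for the domain profile.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# Step 4: security filtering. By default Authenticated Users has Read + Apply.
# Drop Apply for Authenticated Users but KEEP Read: since MS16-072 the computer account
# must be able to read a GPO for user settings in it to apply at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $applyGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 5: trigger a refresh on a client instead of waiting for the refresh interval
# (remote equivalent of running gpupdate /force on the machine).
Invoke-GPUpdate -Computer 'WS-001' -Force -RandomDelayInMinutes 0

# Verify what the GPO now contains and who can apply it.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
Get-GPPermission -Name $gpoName -All | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

The filtering step deliberately keeps Authenticated Users at GpoRead rather than removing the entry: removing Read is a common cause of "policy applied but user settings missing" reports on domains patched after MS16-072.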
- Introduction to Group Policy
- Group Policy Enables You to:
- Set centralized and decentralized policies
- Ensure users have their required environments
- Lower total cost of ownership by controlling user and computer environments
- Enforce corporate policies
Understanding Group Policy Structure in Windows Server
Understanding the structure of Group Policy is essential for effective network management. Group Policy provides a hierarchical, flexible framework for applying rules and settings to users and computers within an Active Directory (AD) environment.
Core Components of Group Policy Structure
Group Policy Object (GPO):
A GPO is a collection of settings that control the working environment of users and computers. It can be linked to:
Sites
Domains
Organizational Units (OUs)
Group Policy Management Console (GPMC):
The central tool for creating, editing, linking, and managing GPOs.
Organizational Units (OUs):
OUs are containers in Active Directory that hold users, groups, and computers. GPOs are often applied at the OU level for better targeting and control.
Group Policy Templates (ADMX/ADML):
These define the registry-based policy settings visible in GPMC.
Group Policy Processing Order
Group Policies apply in the following order (last wins):
Local GPO (on the individual machine)
Site-level GPOs
Domain-level GPOs
OU-level GPOs (and nested OUs, if applicable)
✅ Tip: If multiple GPOs conflict, the one applied later (closer to the object) takes precedence unless overridden by No Override or blocked inheritance.
GPO Inheritance and Precedence
Inheritance: Lower-level OUs inherit policies from higher-level containers unless blocked.
Block Inheritance: Prevents GPOs from parent containers from applying.
Enforced (No Override): Ensures a GPO applies regardless of lower-level settings.
Security Filtering and WMI Filtering
Security Filtering: Apply GPOs only to specific users/groups.
WMI Filtering: Use system properties (like OS version) to conditionally apply GPOs.
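To see the processing order, inheritance and Enforced/Block state described above for a real OU, the data can be read straight from Active Directory rather than inferred from the GPMC tree. The following is an added example, not part of the course notes; it assumes the GroupPolicy and ActiveDirectory modules (RSAT) and uses a constructed OU distinguished name.

```powershell
# Added example: show the effective GPO precedence for one OU, and the raw AD attributes
# (gPLink / gPOptions) that GPMC renders as link order, Enforced and Block Inheritance.
# The OU DN is a placeholder; run on a host with the GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoPrecedence {
    param([Parameter(Mandatory)][string]$OuDn)
    # InheritedGpoLinks is already sorted by precedence: index 0 is the link that wins,
    # i.e. the GPO Windows processes LAST. Enforced links from parents are included.
    $inh = Get-GPInheritance -Target $OuDn
    $i = 1
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            Precedence = $i++
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $OuDn; only Enforced parent links still apply."
    }
}

function Read-GpLinkAttribute {
    # gPLink stores one "[LDAP://cn={GUID},...;flags]" entry per linked GPO.
    # flags bit 1 (value 1) = link disabled, bit 2 (value 2) = Enforced (No Override).
    # gPOptions = 1 on the container means Block Inheritance.
    param([Parameter(Mandatory)][string]$ContainerDn)
    $obj = Get-ADObject -Identity $ContainerDn -Properties gPLink, gPOptions
    $entries = [regex]::Matches([string]$obj.gPLink, '(?i)\[LDAP://([^;]+);(\d+)\]')
    foreach ($m in $entries) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            GpoDn    = $m.Groups[1].Value
            Disabled = [bool]($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
    if ($obj.gPOptions -eq 1) { "Block Inheritance is set on $ContainerDn" }
}

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder
Get-GpoPrecedence -OuDn $ou | Format-Table -AutoSize
Read-GpLinkAttribute -ContainerDn $ou
```

Reading gPLink directly is useful when troubleshooting: an entry with flag value 2 on a container high in the tree explains why a lower OU with Block Inheritance still receives that GPO.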
- Types of Group Policy Settings
| Setting type | Description |
| --- | --- |
| Administrative Templates | Registry-based Group Policy settings |
| Security | Settings for local, domain, and network security |
| Software Installation | Settings for central management of software installation |
| Scripts | Startup, shutdown, logon, and logoff scripts |
| Remote Installation Services | Settings that control the options available to users when running the Client Installation wizard used by RIS |
| Internet Explorer Maintenance | Settings to administer and customize Microsoft Internet Explorer on Windows 2012–based computers |
| Folder Redirection | Settings for storing of users’ folders on a network server |
- Group Policy Objects
- Group Policy Settings for Computers and Users
- Group Policy Settings for Computers:
- Specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings
- Apply when the operating system initializes and during the periodic refresh cycle
- Group Policy Settings for Users:
- Specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts
- Apply when users log on to the computer and during the periodic refresh cycle
- Group Policy Objects and Active Directory Containers
- GPO Settings Affect User and Computer Objects Within Sites, Domains, and OUs to Which a GPO Is Linked
- You can link one GPO to multiple sites, domains, or OUs
- You can link multiple GPOs to one site, domain, or OU
Working with Group Policy Objects (GPOs) in Windows Server
Group Policy Objects (GPOs) are the building blocks of Group Policy in Active Directory environments. They define rules and settings that are automatically applied to users and computers within the scope of a domain, OU (Organizational Unit), or site.
What Is a GPO?
A GPO is a set of registry-based policies that control user environments and system behavior. GPOs can configure security settings, software installation, login scripts, folder redirection, and much more.
Where GPOs Are Applied
GPOs can be linked to the following Active Directory containers:
Sites
Domains
Organizational Units (OUs)
Multiple GPOs can be linked to a single container, and one GPO can be linked to multiple containers.
How to Work with GPOs Using GPMC
Step 1: Open Group Policy Management Console
Go to Server Manager > Tools > Group Policy Management
Step 2: Create a New GPO
Right-click on a domain or OU > Create a GPO in this domain, and Link it here
Name the GPO clearly (e.g., Workstation Security Policy)
Step 3: Edit the GPO
Right-click the GPO > Edit
Use the Group Policy Editor to configure:
Computer Configuration settings
User Configuration settings
Step 4: Link and Apply GPO
Right-click on any domain/OU > Link an existing GPO
Use Security Filtering or WMI Filtering for precise targeting
- Creating Linked Group Policy Objects
- To Apply Group Policy to a Container, Create a GPO Linked to the Container:
- Create GPOs linked to domains and OUs by using Active Directory Users and Computers
- Create GPOs linked to sites by using Active Directory Sites and Services
- Creating Unlinked Group Policy Objects
- Linking an Existing Group Policy Object
- Specifying a Domain Controller for Managing Group Policy Objects
- When You Create a New GPO or Edit an Existing GPO, by Default, the Domain Controller That Holds the PDC Emulator Role Performs the Operation
- The Options Available to Specify a Domain Controller for Managing GPOs Include:
- The one with the Operations Master token for the PDC emulator
- The one used by the Active Directory snap-ins
- Use any available domain controller
- To Specify a Domain Controller for Managing Group Policy Objects:
- Use the DC Options command on the View menu in the Group Policy snap-in
- Enable a Group Policy setting that specifies which domain controller should be used
How Group Policy Settings Are Applied in Active Directory: Order, Inheritance & Precedence
Group Policy in Active Directory (AD) allows administrators to control user and computer settings across the network. But when multiple Group Policy Objects (GPOs) are in place, understanding how settings are applied and prioritized is crucial to avoid conflicts and ensure consistent policy enforcement.
- Group Policy Inheritance
- Windows 2012 Applies GPO Settings in a Specific Order
- Child Containers Inherit GPO Settings from Parent Containers
- How Group Policy Settings Are Processed
- The GetGPOList Function Executes on the Client Computer During:
- Computer startup to determine which GPOs contain computer configuration settings to be applied
- User logon to determine which GPOs contain user configuration settings to be applied
- Controlling the Processing of Group Policy
- Synchronous and Asynchronous Processing
- By default, the processing of Group Policy is synchronous
- You can change the processing of Group Policy to asynchronous by using a Group Policy setting for both computers and users
- Refreshing Group Policy at Established Intervals of:
- 90 minutes for computers configured as domain controllers and running Windows 2012 Professional and for member servers running Windows 2012 Server
- 5 minutes for domain controllers
- Processing Unchanged Group Policy Settings
- You can configure each client-side extension to process all applicable Group Policy settings
- Group Policy and Slow Network Connections (Links)
- Group Policy Can Detect a Slow Link
- Group Policy Uses an Algorithm to Determine Whether a Link Should Be Considered Slow
- Group Policy Sets a Flag to Indicate a Slow Link to the Client-side Extensions
- Resolving Conflicts Between Group Policy Settings
- All Group Policy Settings Apply Unless There Are Conflicts
- The Last Setting Processed Applies
- When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply
- When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
- A Computer Setting Applies When It Conflicts with a User Setting
- Class Discussion: How Group Policy Is Applied
- GPO1 ensures that Favorites appears on the Start menu
- GPO2 and GPO3 require a password of 11 characters and remove the Windows Update icon
- GPO4 removes Favorites from the Start menu and adds the Windows Update icon
- What are the resultant Group Policy settings for the OU?
- Class Discussion: How Group Policy Is Applied 2
- What are the resultant Group Policy settings for the OU?
- A password must be at least 11 characters long
- The Windows Update icon appears on the Start menu
- Favorites does not appear on the Start menu
Enabling Block Inheritance in Group Policy: Control Unwanted GPOs
In a complex Active Directory environment, it’s common for multiple Group Policy Objects (GPOs) to be applied at different levels — domain, OU, and sub-OU. When lower-level OUs need to opt out of inherited policies, the Block Inheritance feature comes into play.
What Is Block Inheritance?
Block Inheritance is a setting that prevents a container (usually an Organizational Unit) from inheriting Group Policy settings from parent containers like:
Domains
Sites
Higher-level OUs
It gives more granular control over which GPOs apply to a specific part of the directory.
When to Use Block Inheritance
You want to prevent domain-wide policies from affecting a sensitive OU
You’re testing new GPOs and want to isolate them
You want department-specific GPOs to apply without conflict
Note: Block Inheritance does not stop Enforced (No Override) GPOs from applying.
How to Enable Block Inheritance
Step-by-Step in Group Policy Management Console (GPMC):
Open Group Policy Management (gpmc.msc)
Expand your domain, and locate the Organizational Unit (OU) you want to protect
Right-click the OU and select Block Inheritance
A small blue exclamation icon will appear on the OU in GPMC indicating it’s blocked
That’s it! The OU will now ignore all GPOs from parent containers — unless a GPO is Enforced.
- Enabling Block Inheritance
=> Stops inheritance of all GPOs from all parent containers
=> Cannot selectively choose which GPOs are blocked
=> Cannot stop No Override
- Enabling No Override
=> Overrides Block Inheritance and GPO conflicts
=> Should be set high in the Active Directory tree
=> Is applicable to links and not to GPOs
=> Enforces corporate-wide rules
- Filtering Group Policy Settings
=> Explicitly denying the Apply Group Policy permission
=> Omitting an explicit Apply Group Policy permission
- Class Discussion: Changing Group Policy Inheritance
=> An anti-virus application must be installed on all computers in the domain
=> The Office suite must be installed on all computers in the domain, except for those in the Payroll department
=> An accounting application must be installed on all client computers in the Payroll department, except for the computers used by the Payroll OU administrators
=> How do you set up your GPOs?
=> A GPO linked to the domain with the anti-virus application settings configured and the link configured with No Override
=> A GPO linked to the domain that installs the Office suite
=> Enable Block Inheritance for the Payroll OU
=> A GPO linked to the Payroll OU to install the accounting application
=> Modify the DACL of the GPO linked to the Payroll OU to deny the Apply Group Policy permission for the computer accounts used by the Payroll OU administrators
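The precedence rules from "How Group Policy Settings Are Applied" (last processed wins, child container over parent, link order within a container) and the Block Inheritance, No Override and Apply-permission rules from this section can be checked against both class-discussion scenarios with a small model. This is an added example written for the exercise, not a Microsoft tool and not code from the notes: it runs in plain PowerShell with no domain, every GPO and container in it is constructed, and for the first scenario it assumes GPO1 to GPO3 are linked at the domain and GPO4 at the OU (the slide does not state the placement; this one reproduces the stated answer). It does not model computer-versus-user conflicts or WMI filters.

```powershell
# Added example: a model of GPO precedence (LSDOU order, link order, Enforced,
# Block Inheritance, Deny Apply Group Policy). Constructed data only; no domain needed.
function New-ModelGpo {
    param([string]$Name, [hashtable]$Settings, [string[]]$ApplyDeniedTo = @())
    [pscustomobject]@{ Name = $Name; Settings = $Settings; ApplyDeniedTo = $ApplyDeniedTo }
}
function New-ModelLink {
    param($Gpo, [int]$Order, [switch]$Enforced)   # Order 1 = top of the link list in GPMC
    [pscustomobject]@{ Gpo = $Gpo; Order = $Order; Enforced = [bool]$Enforced }
}
function New-ModelContainer {
    param([string]$Name, [object[]]$Links, [switch]$BlockInheritance)
    [pscustomobject]@{ Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance }
}

function Get-GpoApplyOrder {
    # $Chain runs from the top of the tree to the leaf (Site, Domain, OU, child OU ...).
    # Returns GPOs in processing order; the LAST GPO to set a value wins.
    param([object[]]$Chain)
    $normal = @()
    $enforcedPerLevel = @()
    foreach ($c in $Chain) {
        if ($c.BlockInheritance) { $normal = @() }   # drops all non-Enforced links from parents
        $byOrderDesc = @($c.Links | Sort-Object Order -Descending)   # link order 1 is applied last
        $normal += @($byOrderDesc | Where-Object { -not $_.Enforced } | ForEach-Object { $_.Gpo })
        $enforcedPerLevel += ,@($byOrderDesc | Where-Object { $_.Enforced } | ForEach-Object { $_.Gpo })
    }
    # Enforced links are processed after everything else, leaf level first, so the Enforced
    # link highest in the tree is applied last and wins (this is why "set it high" is advised).
    $order = $normal
    for ($i = $enforcedPerLevel.Count - 1; $i -ge 0; $i--) { $order += $enforcedPerLevel[$i] }
    return ,$order
}

function Resolve-GpoSettings {
    param([object[]]$Chain, [string]$Principal)   # $Principal: the computer or user evaluated
    $result = [ordered]@{}
    foreach ($gpo in (Get-GpoApplyOrder -Chain $Chain)) {
        if ($gpo.ApplyDeniedTo -contains $Principal) { continue }   # explicit Deny on Apply Group Policy
        foreach ($k in $gpo.Settings.Keys) { $result[$k] = $gpo.Settings[$k] }   # last processed wins
    }
    return $result
}

# Scenario 1 (class discussion): GPO1-GPO3 at the domain, GPO4 at the OU (assumed placement).
$gpo1 = New-ModelGpo 'GPO1' @{ FavoritesOnStartMenu = 'Shown' }
$gpo2 = New-ModelGpo 'GPO2' @{ MinPasswordLength = 11; WindowsUpdateIcon = 'Removed' }
$gpo3 = New-ModelGpo 'GPO3' @{ MinPasswordLength = 11; WindowsUpdateIcon = 'Removed' }
$gpo4 = New-ModelGpo 'GPO4' @{ FavoritesOnStartMenu = 'Removed'; WindowsUpdateIcon = 'Shown' }
$chain1 = @(
    (New-ModelContainer 'Domain' @((New-ModelLink $gpo1 1), (New-ModelLink $gpo2 2), (New-ModelLink $gpo3 3))),
    (New-ModelContainer 'OU'     @((New-ModelLink $gpo4 1)))
)
Write-Host 'Scenario 1, resultant settings for the OU:'
Resolve-GpoSettings -Chain $chain1    # password 11, Windows Update icon Shown, Favorites Removed

# Scenario 2 (Payroll): anti-virus Enforced at the domain, Office at the domain,
# Block Inheritance on Payroll, accounting app on Payroll with Apply denied for admin PCs.
$av   = New-ModelGpo 'Anti-virus'     @{ AntiVirus = 'Installed' }
$off  = New-ModelGpo 'Office suite'   @{ Office = 'Installed' }
$acct = New-ModelGpo 'Accounting app' @{ Accounting = 'Installed' } -ApplyDeniedTo 'PAYADMIN-PC1$'
$chain2 = @(
    (New-ModelContainer 'Domain'  @((New-ModelLink $av 1 -Enforced), (New-ModelLink $off 2))),
    (New-ModelContainer 'Payroll' @((New-ModelLink $acct 1)) -BlockInheritance)
)
Write-Host 'Scenario 2, Payroll workstation (constructed name PAYROLL-PC1$):'
Resolve-GpoSettings -Chain $chain2 -Principal 'PAYROLL-PC1$'    # AntiVirus + Accounting, no Office
Write-Host 'Scenario 2, Payroll admin workstation (constructed name PAYADMIN-PC1$):'
Resolve-GpoSettings -Chain $chain2 -Principal 'PAYADMIN-PC1$'   # AntiVirus only
```

Tracing scenario 2 through Get-GpoApplyOrder: the domain contributes Office to the normal list and Anti-virus to the enforced list; Block Inheritance on Payroll empties the normal list before the accounting GPO is added; the final order is Accounting then Anti-virus, which is exactly why the Enforced anti-virus GPO survives the block while Office does not.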
Delegating Administrative Control of Group Policy in Active Directory
Delegation is a key concept in Active Directory administration. It allows IT teams to assign limited administrative responsibilities to users or groups—such as managing Group Policy Objects (GPOs)—without giving them full domain privileges.
Why Delegate Group Policy Control?
Benefits:
Improves security through least privilege
Enhances productivity by offloading tasks to responsible team members
Promotes role-based access control
Reduces risk of accidental domain-wide changes
Common Use Cases for Group Policy Delegation
Helpdesk staff resetting user login policies
HR managing login banners or password settings for a specific OU
Network team applying workstation-specific GPOs
Department managers requesting GPO changes for their unit
- Enable a User to Manage Group Policy Links for a Site, Domain, or OU by:
- Assigning the user read and write permissions to the gPLink and gPOptions attributes of the site, domain, or OU
- Using the Delegation of Control wizard
- Enable a User or Group to Create GPOs by:
- Adding the user or group to the Group Policy Creator Owners group
- Enable a User to Edit GPOs by:
- Assigning the user read and write permissions to the GPO
- Making the user a member of either Domain Admins, Enterprise Admins, or GPO Creator Owners groups
- Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box
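The three delegation tasks listed above (manage links on one container, create GPOs, edit one GPO) can be granted and audited from PowerShell. This is an added example, not code from the notes: it assumes the GroupPolicy and ActiveDirectory modules plus the dsacls tool from the AD DS tools, and the domain, group, OU and GPO names are constructed placeholders.

```powershell
# Added example: least-privilege Group Policy delegation, scripted.
# Placeholders (assumed): domain EXAMPLE, groups GP-Sales-*, the Sales OU, the GPO name.
Import-Module GroupPolicy, ActiveDirectory

$ou        = 'OU=Sales,DC=example,DC=com'
$linkGrp   = 'GP-Sales-LinkAdmins'   # may link/unlink GPOs on the Sales OU only
$createGrp = 'GP-Creators'           # may create new GPOs (but not link them)
$editGrp   = 'GP-Sales-Editors'      # may edit one GPO, not delete it or change its ACL
$gpoName   = 'Sales Workstation Policy'

# 1. Manage Group Policy links for one OU: Read + Write on gPLink and gPOptions of that object.
#    Same rights the Delegation of Control wizard's "Manage Group Policy links" task grants.
#    ${linkGrp} braces are required: "$linkGrp:" would otherwise parse as a drive qualifier.
dsacls $ou /G "EXAMPLE\${linkGrp}:RPWP;gPLink"   | Out-Null
dsacls $ou /G "EXAMPLE\${linkGrp}:RPWP;gPOptions" | Out-Null

# 2. Create GPOs: membership of the built-in Group Policy Creator Owners group.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members (Get-ADGroup $createGrp)

# 3. Edit a single GPO: GpoEdit on that GPO only (not GpoEditDeleteModifySecurity).
Set-GPPermission -Name $gpoName -TargetName $editGrp -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Audit: list every GPO where a non-admin trustee holds edit-or-better rights.
# Anyone who can edit a GPO can change what runs on every machine it applies to,
# so this list is the delegation surface to review regularly.
Get-GPO -All | ForEach-Object {
    $g = $_
    Get-GPPermission -Name $g.DisplayName -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                       $_.Trustee.Name -notin 'Domain Admins', 'Enterprise Admins', 'SYSTEM' } |
        Select-Object @{n='Gpo';e={$g.DisplayName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
} | Format-Table -AutoSize
```

Granting gPLink/gPOptions write on the OU rather than adding the group to Domain Admins is the "least privilege" benefit the section describes in practice: the link administrators can attach existing GPOs to their OU but cannot change what those GPOs contain.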
Monitoring and Troubleshooting Group Policy
- Monitoring Group Policy
- Enabling Diagnostic Logging to the Event Log
- Causes Group Policy to generate detailed events in the Event Log
- Enabling Verbose Logging
- Tracks all changes and settings applied to the local computer and the users who log on to the computer
- Involves the addition of the registry keys for verbose logging
- Group Policy Troubleshooting Tools
- Windows 2012 Support Tools for Group Policy Troubleshooting:
- Netdiag.exe
- Replmon.exe
- Windows 2012 Resource Kit Tools for Group Policy Troubleshooting:
- Gpotool.exe
- Gpresult.exe
- Troubleshooting Group Policy
- Cannot Access or Open the Group Policy Object
- Group Policy Settings Not Taking Effect as Expected
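For the two troubleshooting cases above, the built-in tools (gpresult, the GroupPolicy module and the Group Policy operational event log) cover what the older Gpotool.exe and Gpresult.exe utilities did. The following is an added example, not code from the notes; host, user and GPO names are constructed placeholders, and it assumes an elevated session on the client or an RSAT host with the GroupPolicy module.

```powershell
# Added example: scripted Group Policy troubleshooting checks. Placeholders: WS-001, EXAMPLE\jdoe.
Import-Module GroupPolicy

function Test-GpoVersionSync {
    # Gpotool-style check: each GPO has a version number in AD (DS) and one in SYSVOL.
    # A mismatch means SYSVOL has not replicated the edit yet, a common cause of
    # "settings not taking effect" on clients that talk to a lagging domain controller.
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Gpo            = $_.DisplayName
            ComputerDS     = $_.Computer.DSVersion
            ComputerSysvol = $_.Computer.SysvolVersion
            UserDS         = $_.User.DSVersion
            UserSysvol     = $_.User.SysvolVersion
            InSync         = ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion) -and
                             ($_.User.DSVersion -eq $_.User.SysvolVersion)
        }
    } | Where-Object { -not $_.InSync }
}

function Get-GpProcessingErrors {
    # Current form of "diagnostic logging to the Event Log": the Group Policy service writes
    # its own operational log. Level 2 = Error, 3 = Warning.
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Resultant Set of Policy for a computer and user, the scripted form of Gpresult.exe.
Get-GPResultantSetOfPolicy -Computer 'WS-001' -User 'EXAMPLE\jdoe' `
    -ReportType Html -Path "$env:TEMP\rsop-WS-001.html"

# On-box summary: which GPOs applied, which were filtered out and why (e.g. denied by security).
gpresult /r /scope computer

Test-GpoVersionSync | Format-Table -AutoSize
Get-GpProcessingErrors -Hours 48 | Format-Table -Wrap
```

When a GPO cannot be opened at all, the version-sync check is usually the first thing to look at: an AD entry with no matching SYSVOL folder on the domain controller you are connected to shows up as a DS version with a SYSVOL version of 0, and the fix is to wait for (or force) SYSVOL replication rather than to recreate the GPO.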
Best Practices
Limit the Use of Blocking, No Override, and Filtering of GPOs